Hi

Can anyone help me understand why some CVEs show in the changelog but not
on the security report?

Example is CVE-2016-5388, which shows as fixed in the 8.0.37 changelog but
is missing from the security report.

This has come up in an audit and it is hard to explain which is the System of
Record for security fix information.

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37

https://tomcat.apache.org/tomcat-8.0-doc/changelog.html

Thanks!